Terms & Conditions

Effective date: 18 December 2025

This notice explains how August Collections (“we”, “us”, “our”) uses personal data when staff (employees, contractors, and temporary workers) access and use the August Collections Handbook (“Portal”).

This notice covers

This notice applies to personal data processed through the Portal and related systems (for example: identity management, single sign-on, multi-factor authentication, access controls, audit logging, and security monitoring). It does not replace other internal or HR privacy notices that apply to broader employment/engagement processing.

Personal data we process

A. Account and identity data

  • Name, username/user ID, staff/contractor ID
  • Work email address, work phone number (if used for account recovery or multi-factor authentication)
  • Department/team, job title, location (work site), and other role attributes needed for access control
  • Roles/permissions, group memberships, access approvals

B. Authentication and security data

  • Login timestamps and authentication events (successful/failed attempts)
  • Multi-factor authentication status and method (e.g., authenticator enabled; phone number if SMS is used)
  • Password reset and account recovery events

C. Portal usage and technical data

  • IP address, device and browser information, operating system
  • Session identifiers and strictly necessary cookies used to keep you signed in and secure the Portal
  • Activity/audit logs showing which areas of the Portal were accessed and actions taken (where needed for security, access governance, and compliance)
  • Error logs and diagnostic data (to maintain and troubleshoot the Portal)

D. Support and communications

  • Support tickets, requests, and messages submitted through the Portal
  • Communications relating to access issues, security incidents, or Portal changes

How we use your data (purposes)

  1. Authenticate you and provide access (including MFA and account recovery).
  2. Administer accounts and permissions (role-based access, approvals, provisioning/deprovisioning).
  3. Protect security and prevent misuse (detect suspicious activity, investigate incidents, enforce security policies).
  4. Operate and improve the Portal (maintenance, troubleshooting, service quality).
  5. Audit, compliance, and governance (access logging, internal controls, responding to legal/regulatory requests).
  6. Business continuity (backup, disaster recovery, and continuity testing).

Legal bases (UK GDPR / EU GDPR)

  • Performance of a contract (e.g., providing staff systems/services required for your role).
  • Legal obligation (e.g., record-keeping or security obligations where applicable).
  • Legitimate interests (e.g., operating a secure staff portal, preventing fraud/misuse, protecting company and client data, ensuring system integrity).
  • Consent (only where genuinely optional; if we rely on consent, we will explain this at the point of collection and you can withdraw it).

Monitoring and audit logging

The Portal generates logs to keep systems secure, manage access, comply with policies, and investigate incidents. Access to logs is restricted on a need-to-know basis. Monitoring is designed to be proportionate to security and compliance risks.

Who we share data with

  • Relevant internal teams (e.g., IT, security, compliance, internal audit) and, where applicable, our group companies
  • Service providers acting on our instructions (e.g., hosting/cloud services, identity/SSO/MFA providers, managed IT/security providers, help desk tools)
  • Professional advisers (e.g., legal, auditors) where necessary
  • Authorities (e.g., regulators or law enforcement) where we are legally required or permitted to do so

We require service providers to protect personal data and to use it only to provide services to us.

International transfers (UK, EEA and U.S.)

Because we operate across the UK and the EEA and may use service providers in the U.S., your data may be accessed, stored, or otherwise processed in the UK, EEA, and/or the United States.

Where international transfer rules apply, we use appropriate safeguards, such as:

  • Adequacy decisions/regulations where available (meaning the relevant authority has recognised a jurisdiction as providing an adequate level of data protection).
  • Standard Contractual Clauses (SCCs) for transfers from the EEA to recipients outside the EEA, together with any required risk assessments and supplementary measures.
  • The UK’s International Data Transfer Agreement (IDTA) and/or the UK Addendum to the EU SCCs for restricted transfers from the UK, together with any required risk assessments and supplementary measures.
  • The EU–U.S. Data Privacy Framework and the UK Extension/UK–U.S. data bridge where the U.S. recipient is appropriately certified and listed.

We keep these arrangements under review and will update our safeguards if transfer requirements change.

How long we keep data

We keep Portal data only as long as needed for the purposes in this notice. Typical retention may include:

  • Account and permissions data: for the period you have access, plus 12 months, as necessary
  • Security and audit logs: typically 12 months (and longer if needed for investigations or legal claims)
  • Support records: typically 12 months after ticket closure

Retention may vary depending on legal requirements, incident handling, or policy obligations.

Security

We use appropriate technical and organisational measures to protect Portal data, such as access controls, least-privilege permissions, logging, encryption where appropriate, and security testing.

Your rights

Depending on your location and applicable law, you may have rights to request:

  • Access to your personal data
  • Correction of inaccurate data
  • Deletion or restriction (in certain circumstances)
  • Objection (including to processing based on legitimate interests)
  • Data portability (in certain circumstances)
  • Withdrawal of consent (where consent is used)

Changes to this notice

We may update this notice from time to time. The latest version will be posted on the Portal and the effective date updated.